A TCP connection usually goes through a series of states during its lifetime. The state signifies the status of the TCP connection. In order to determine the connection state, execute the netstat
command:
$ sudo netstat --tcp --all --numeric Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN tcp 0 0 192.168.2.111:39551 182.19.89.106:80 ESTABLISHED tcp 396 0 192.168.2.111:18358 173.194.36.70:443 TIME_WAIT tcp 0 0 127.0.0.1:80 127.0.0.1:48234 TIME_WAIT
The states can contain any of the following values:
LISTEN
: This indicates that the socket is ready for incoming connectionsSYN_SENT
: This indicates that the socket is attempting to establish a connectionSYN_RECV
: This indicates that the server has received a connection requestESTABLISHED
: This indicates that the server has established a connectionLAST_ACK
: This indicates that the server is waiting for ACK as the socket is closedCLOSE_WAIT
: This indicates that the server is waiting for the socket to close as the client has closed the connectionTIME_WAIT
: This indicates that the server has closed the socket but is waiting for packets in the networkFIN_WAIT1
: This indicates that the connection is shutting down as the socket is closedFIN_WAIT2
: This indicates that the connection is closed and the socket is waiting for shutdown from clientCLOSED
: This indicates that the socket is not being usedWhen a TCP connection closes, the connection moves to the TIME_WAIT
state. The connection remains in this state for a long period of time, usually twice the maximum segment life (msl
). The reason for waiting is that packets may arrive out of order or be retransmitted after the connection has been closed. Thus, the connection is being kept around so that these delayed packets can be handled appropriately.
The long TIME_WAIT
state results in the memory and ports getting blocked by closed connections. Thus, a heavily loaded server can run out of resources, which can be caused by a large number of connections in the TIME_WAIT
state.
The default MSL is 60 seconds, thus making the TIME_WAIT
state last for 2 minutes for each closed socket. The MSL can be listed for the net.ipv4.tcp_fin_timeout
key:
$ sysctl net.ipv4.tcp_fin_timeout net.ipv4.tcp_fin_timeout = 60
To make the TIME_WAIT
state last for 40 seconds, decrease the value of net.ipv4.tcp_fin_timeout
to 20 seconds:
$ sudo sysctl -w net.ipv4.tcp_fin_timeout = 20 net.ipv4.tcp_fin_timeout = 20
Another way of improving the utilization of TCP sockets is to configure the TCP behavior using tcp_tw_reuse
. The property allows TCP to reuse the TIME_WAIT
socket when it is safe from the protocol viewpoint. The configuration is disabled by default; enable it by setting the net.ipv4.tcp_rw_reuse
key:
$ sysctl net.ipv4.tcp_tw_reuse net.ipv4.tcp_tw_reuse = 0 $ sudo sysctl -w net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_reuse = 1
The kernel also presents the tcp_tw_recycle
option as an alternative to tcp_tw_reuse
. The tcp_tw_recycle
option is a more aggressive version of tcp_tw_reuse
and enables fast recycling of TIME_WAIT
connections:
$ sysctl net.ipv4.tcp_tw_recycle net.ipv4.tcp_tw_recycle = 0
It is not recommended that you enable this option as the kernel makes assumptions before determining whether to reuse a socket. These assumptions can pose problems when working with a NAT, stateful firewall.
3.147.44.182